Puzzling results when pasting in ACL config to switch

Hello, 

I was creating 2 decently large ACLs to match some traffic today and I noticed something peculiar that has me puzzled. 

My first ACL has approx. 90 ACEs and pastes them fine. When I go back and look at the ACL, it looks like there are only 10-15 ACEs and an any/any pasted as the second entry, even though I did not paste this. 

Strangely enough, my other ACL had 380-ish ACEs and the ACL looks fine. 

I have duplicated this multiple times across 2 different terminal emulators with the same results and I am completely perplexed by this.

Accepted Solution

Jesus. . . I just had a DUH moment. 

So this was a large spreadsheet of static routes that I wanted to match against an ACL. I have multiple concatenate functions running to clean up the configs and, most importantly, match-and-replace functions to inverse the subnet masks. I just realized it never changed the 255.255.255.255 to 0.0.0.0, and those were the ones that were a problem.

I must have changed them properly on the other rule, but it didn't apply to this one. Sorry guys.

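The accepted solution explains the "shrinking" ACL: a row whose subnet mask was never inverted is pasted as `permit ip any 192.0.2.7 255.255.255.255`, and a wildcard of all ones means every destination bit is a don't-care, so IOS stores the entry as `permit ip any any`. Every later host row produces that same ACE, and an exact duplicate is not installed, so 90 pasted lines turn into a handful of real entries plus one permit-any. The script below is an added example, not code from the thread or from Cisco; it generates ACEs from (network, subnet mask) rows, models the IOS normalization and duplicate handling described above (the modelling is an assumption, not a device API), reproduces the find/replace bug with a constructed spreadsheet, and lints the result for an entry that matches everything. The rows, ACL names and helper names are all invented for the example.

```python
"""Generate IOS extended ACEs from (network, subnet mask) rows and show why
an un-inverted 255.255.255.255 host mask collapses an ACL into 'permit ip any any'.

Added example, not from the thread. Assumptions: rows are an in-memory list
(constructed below); IOS behaviour is modelled as: wildcard 0.0.0.0 -> 'host',
wildcard 255.255.255.255 -> 'any', address bits under the wildcard cleared,
and an exact-duplicate ACE not installed.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted-decimal subnet mask into the IOS wildcard (inverse) mask."""
    inv = int(ipaddress.IPv4Address(mask)) ^ ALL_ONES
    # A valid subnet mask is contiguous ones from the left; its inverse is 2**k - 1.
    if inv & (inv + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return str(ipaddress.IPv4Address(inv))


def buggy_wildcard(mask: str) -> str:
    """Model of the spreadsheet's find/replace: every mask inverted except the
    host mask the replace pattern missed (assumption based on the thread)."""
    return mask if mask == "255.255.255.255" else wildcard_from_mask(mask)


def normalize_ace(dest: str, wildcard: str, action="permit", proto="ip", src="any") -> str:
    """Render the ACE the way IOS stores it after normalization (modelled)."""
    d = int(ipaddress.IPv4Address(dest))
    w = int(ipaddress.IPv4Address(wildcard))
    if w == ALL_ONES:                       # every bit is don't-care: matches anything
        return f"{action} {proto} {src} any"
    if w == 0:                              # no don't-care bits: a single host
        return f"{action} {proto} {src} host {dest}"
    net = str(ipaddress.IPv4Address(d & ~w & ALL_ONES))   # clear masked bits
    return f"{action} {proto} {src} {net} {wildcard}"


def build_acl(name: str, rows, mask_to_wildcard=wildcard_from_mask):
    """Return (config_lines, rejected) for rows of (network, subnet_mask).

    rejected holds rows whose ACE was an exact duplicate of one already installed."""
    lines = [f"ip access-list extended {name}"]
    installed, rejected = [], []
    for net, mask in rows:
        ace = normalize_ace(net, mask_to_wildcard(mask))
        if ace in installed:
            rejected.append((net, mask, ace))
            continue
        installed.append(ace)
    return lines + [" " + a for a in installed], rejected


def lint_acl(config_lines):
    """Flag ACEs that match every source and destination: a host entry became 'any'."""
    return [l.strip() for l in config_lines if l.strip().endswith(" any any")]


# Constructed rows: what a static-route spreadsheet might hold.
ROWS = [
    ("10.10.0.0", "255.255.0.0"),
    ("10.20.5.0", "255.255.255.0"),
    ("192.0.2.7", "255.255.255.255"),
    ("192.0.2.8", "255.255.255.255"),
    ("198.51.100.9", "255.255.255.255"),
]

if __name__ == "__main__":
    good, _ = build_acl("ROUTES_OK", ROWS)
    bad, dropped = build_acl("ROUTES_BUG", ROWS, buggy_wildcard)
    print("\n".join(good), "\n")
    print("\n".join(bad))
    print("rejected as duplicates:", len(dropped))
    print("over-permissive:", lint_acl(bad))
```

Run it as-is and compare the two ACLs: `ROUTES_OK` has one `host` entry per /32 row, while `ROUTES_BUG` has a single `permit ip any any` and two rows that never made it in. Running `lint_acl` (or just grepping the generated text for `any any`) before pasting is the cheap check that would have caught this, because the failure mode is not a paste error but an ACL that quietly permits everything.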

16 Replies

Joseph W. Doherty
Hall of Fame

Cannot comment on your specific case, but will say in the past I've had issues pasting voluminous config statements. Never figured out why it would or wouldn't work. What seemed to always work was to place voluminous config statements in their own file on my PC and copy them to the Cisco device using the Cisco copy command.

Can you clarify what you mean?

I just tried manually adding the missing ACEs and they are not adding. Now I wonder if I am hitting a bug, because I feel like one could never hit the ACL/ACE limit that the devices can handle. I just need to confirm that information. 

Is there a command to see the total ACL/ACE count by chance, to see if I am at that limit? I am on 9606Rs and it looks like for SUP1 the limits are 12,000-27,000.

Sorry, clarify what, my having experienced similar issue while pasting or copying config statements?

The part about copying the files. I am not sure I follow what you advised that worked for you. So you were just TFTPing the files over?


Yes, tftp or FTP or RCP.

Place the ACL in a text file that can be read from one of the foregoing, and then use a command-line copy statement with the foregoing as the from target and running-config as the to target. (Do you need a sample?)

As you likely know, copying to running does a merge, not a replace.

Thank you for clarifying. I have since tried to manually update the ACL with no luck as well, so this is going to be a bit more complex. Maybe a bug has been reached?

I've done config modifications using programs and VTY w/o issue. My guess is some terminal programs don't coordinate their paste transmission with device buffering.

MHM

I just do it the same way I always do ACLs:

ip access-list extended %ACL_NAME%

permit ip any %DEST IP ADDRESS + INVERSE MASK%

I looked up the ACL limits for this switch and I am nowhere even close to any limits. I also looked at the ASIC stats and do not see anything alarming. 

MHM


I have never created sequences in an ACL. Sequences are auto-created when you add the ACEs. I only ever use sequence commands when I need one to be specifically placed in a list for some need. 

As mentioned in the first post, I created 2 new ACLs. Both were done in the same way, and the larger one took, but the smaller one did not.


MHM

This is not applicable. Again, one ACL took fine and the other did not get past 22 ACEs. It appears there is a limitation in some fashion. 

I have a TAC case opened at this point, since I have now gotten to the point where I cannot manually enter any more ACEs into this list. I have not created another ACL to test, as at that point I am just creating work and, I think, wasting time guessing. 

RAdamWilliams
Level 1

Can you post the ACLs?
